From eb7fad64bc4d4a3df5f7b8121b83b5aa3b6638de Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 9 Jun 2021 17:44:26 -0400 Subject: [PATCH] Update datafeed_high_count_network_denies.json (#101681) (#101825) add a boolean OR between the two possible field values Co-authored-by: Craig Chamberlain --- .../datafeed_high_count_network_denies.json | 25 ++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json index a4412a6d732e..3ff28ef3d8df 100755 --- a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json +++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json @@ -13,10 +13,29 @@ "term": { "event.category": "network" } - }, + } + ], + "must": [ { - "term": { - "event.outcome": "deny" + "bool": { + "should": [ + { + "match": { + "event.outcome": { + "query": "deny", + "operator": "OR" + } + } + }, + { + "match": { + "event.type": { + "query": "denied", + "operator": "OR" + } + } + } + ] } } ]